The new Anaplan APIs and integration connectors leverage Certificate Authority (CA)-issued certificates. These certificates can be obtained through your company's intermediary CA (typically issued by IT) or by purchasing one from a trusted Certificate Authority. Anaplan clients leveraging REST API v2.0 use both basic authentication and CA certificate-based authentication. Examples of these clients include Anaplan Connect 1.4, Informatica Anaplan Connector, and Mulesoft 2.0.1.
If you are migrating your Anaplan Connector scripts from v1.3 to v1.4, your available options for authentication will be basic authentication or CA certificate based authentication.
This article outlines steps to perform in preparation for CA certificate authentication.
You can obtain a certificate from a CA by submitting a request, or by submitting a request with a certificate signing request (CSR) containing your private key.
Contact your IT or Security Operations organization to determine if your company already has an existing relationship with a CA or intermediary CA.
This section presents steps to import the CA certificate into Internet Explorer and Mozilla Firefox. The CA certificate will be exported in the next section to either p12 or pfx format.
CA certificates may have .crt or .cer as file extensions.
Within Internet Explorer, click on the Settings icon and select Internet options.
Navigate to the Content tab and then click on Certificates.
Click Import to launch the Certificate Import Wizard.
Click Browse to locate and select the CA certificate file. This file may have a file extension of .crt or .cer.
If a password was used when requesting the Certificate, enter it in this screen. Ensure that the “Mark this key as exportable” option is selected and click Next.
Select the certificate store in which to import the certificate and click Next.
Review the settings and click Finish.
The certificate should appear in the certificate store selected.
Within Firefox, select Options from the settings menu.
In the Options window, click Privacy & Security from the navigation pane on the left. Scroll to the very bottom and click on the View Certificates… button.
In the Certificate Manager, click the Import… button and select the certificate to convert and click Open.
The certificate should now show up in the Certificate Manager.
This section presents steps to export the CA certificate from Internet Explorer (pfx) and Mozilla Firefox (p12).
Select the certificate imported above and click the Export… button to initiate the Certificate Export Wizard.
Select the option “Yes, export the private key” and click Next.
Select the option for Personal Information Exchange – PKCS #12 (.PFX) and click Next.
Create a password, enter it and confirm it in the following screen. This password will be used later on in the process. Click Next to continue.
Select a location to export the file and click Save.
Verify the file location and click Next.
Review the export settings and ensure that the Export Keys setting says “Yes”; if not, start the export over. If all looks good, click Next. A message will appear when the export is successful.
To export the certificate from Firefox, click the Backup… button in the Certificate Manager. Select a location and a name for the file. Ensure that the Save as type: is “PKCS12 Files (*.p12)”. Click the Save button to continue.
Enter a password to be used later when exporting the public and private keys. Click the OK button to finish.
If you haven't done so already, install the openssl tool for your operating system. A list of third-party binary distributions may be found on www.openssl.org. Examples in this article are shown for the Windows platform.
Execute the following to export the public and private keys from the certificate exported above. In the commands listed below, the values that are customer specific are in Bold Italics. There is a screenshot at the end of this section that shows all of the commands run in sequence and how the passwords relate between the steps.
Examples in this article assume the location of the certificate as the working directory. If you are executing these commands from a different directory (ex: ...\openssl\bin), then ensure you provide the absolute directory path to all the files.
The public key will be exported from the certificate (p12/pfx) using the openssl tool. The result is a .pem (public_key.pem) file that will be imported into Anaplan using Anaplan's Tenant Administrator client.
NOTE: The command below will prompt for a password. This password was created in steps above during export.
openssl pkcs12 -clcerts -nokeys -in ScottSmithExportedCert.pfx -out public_key.pem
Remove everything before -----BEGIN CERTIFICATE----- (section highlighted in yellow). Ensure that the emailAddress value is populated with the user that will run the integrations.
This command will prompt for a password. This password is the password created in the export above. It will then prompt for a new password for the Private Key. It will also ask to confirm that password.
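Added example (not from the original article or from Anaplan): the cleanup and check described above, done in Python. It strips the Bag Attributes header, refuses a file that contains private key material, and reads emailAddress from the certificate's subject rather than its issuer. The function names and the sample input, a constructed DER skeleton and not a real certificate, are assumptions of this example.

```python
import base64
import re
CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
EMAIL_OID = bytes.fromhex("06092a864886f70d010901")  # DER for OID 1.2.840.113549.1.9.1

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_email(der):
    """Return emailAddress from the subject DN (the issuer DN comes first and is skipped)."""
    _, cert_start, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, pos, end = read_tlv(der, cert_start)      # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, start, pos = read_tlv(der, pos)
        if tag != 0xA0:                          # ignore the optional [0] version
            fields.append(der[start:pos])
    subject = fields[4]                          # serial, sigAlg, issuer, validity, subject
    at = subject.find(EMAIL_OID)
    if at < 0:
        return None
    _, start, stop = read_tlv(subject, at + len(EMAIL_OID))
    return subject[start:stop].decode("ascii", "replace")

def clean_public_pem(text, expected_email):
    """Strip Bag Attributes and check the file is safe and usable to upload."""
    if "PRIVATE KEY-----" in text:
        raise ValueError("private key found; re-export with -nokeys before uploading")
    blocks = CERT_RE.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    email = subject_email(base64.b64decode("".join(blocks[0].split()), validate=True))
    if email is None or email.lower() != expected_email.lower():
        raise ValueError(f"subject emailAddress is {email!r}, expected {expected_email!r}")
    return f"-----BEGIN CERTIFICATE-----\n{blocks[0].strip()}\n-----END CERTIFICATE-----\n"

def constructed_sample(email=b"integration.user@example.com"):
    """Stand-in for pkcs12 output: a DER skeleton built here, not a real certificate."""
    tlv = lambda tag, value: bytes([tag, len(value)]) + value   # short-form lengths only
    dn = lambda addr: tlv(0x30, tlv(0x31, tlv(0x30, EMAIL_OID + tlv(0x16, addr))))
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + dn(b"ca@example.com") + tlv(0x30, b"") + dn(email))
    der = base64.b64encode(tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))).decode()
    return f"Bag Attributes\n    localKeyID: 01\n-----BEGIN CERTIFICATE-----\n{der}\n-----END CERTIFICATE-----\n"
```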
openssl pkcs12 -nocerts -in ScottSmithExportedCert.pfx -out private_key.pem
This command will prompt for the private key password from the step above. It will then prompt for a new password for the Bundle. It will also ask to confirm that password.
openssl pkcs12 -export -in public_key.pem -inkey private_key.pem -out bundle.p12 -name Scott -CAfile public_key.pem -caname Scott
In the command above,
Using keytool (typically found in <Java8>/bin), create a .jks file. This file will be referenced in Anaplan Connect 1.4 scripts for authentication.
The command below will prompt for a new password for the entry into the keystore. It will also ask to confirm that password. It will then prompt for the Bundle password from the step above.
keytool -importkeystore -destkeystore my_keystore.jks -srckeystore bundle.p12 -srcstoretype PKCS12
In the command above:
In this step, you will add the public_key.pem file to the list of certificates in Anaplan Tenant Administrator. This file was created and edited in the first two steps of the last section.
Log on to Anaplan Tenant Administrator. Navigate to Administration --> Security --> Certificates --> Add Certificate.
Since you will be migrating to CA certificate-based authentication, you will need to upgrade your Anaplan Connect and associated scripts from v1.3 to v1.4. The Community article, Migrating from Anaplan Connect 1.3.x.x to Anaplan Connect 1.4, will guide you through the necessary steps. Follow the steps outlined in the article to edit and execute your Anaplan Connect 1.4 script. The examples provided (Windows & Linux) at the end of the article will validate authentication to Anaplan using CA certificates and will return a list of the user's workspaces in a tenant.